vfs_fruit bug in ACL get/set.
Jeremy Allison
jra at samba.org
Fri Mar 2 17:14:59 UTC 2018
Hi Ralph,
I just created:
https://bugzilla.samba.org/show_bug.cgi?id=13319
------------------------------------------------
In fruit_fget_nt_acl() the 3 extra ACE entries
corresponding to mode/uid/gid are always added
to the returned ACL as virtual ACE entries that
are not expected to be stored in the file ACL on disk.
In fruit_fset_nt_acl() the client-sent ACL is applied
to the file, then the mode entry (if sent) is used to
do the CHMOD - but the client-sent ACL is applied
without removing any virtual ACE entries.
If a naive client just round-trips get/set/get/set,
on every set the 'virtual' ACE entries will be stored
in the xattr.
I think the correct action on fruit_fset_nt_acl()
is to check for - then *remove* any virtual ACE
entries sent by the client before passing down
to the underlying SET_NT_ACL call.
(Discovered by code review when designing a similar
mechanism for SMB2 UNIX extensions).
----------------------------------------------
I'm happy to fix as a pre-requisite patch for my
SMB2 unix extensions work, but I wanted you to
take a look so I can get your opinion.
Cheers,
Jeremy.
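
The round-trip described in the message above, as an added example that is not part of the original mail and is not Samba code: a simplified C model in which get always appends three virtual entries and set optionally strips them before storing. The struct, the function names and the use of S-1-5-88-1/2/3 SID prefixes to recognise the virtual uid/gid/mode entries are assumptions of this example; all SID values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: an ACL is a list of SID strings (access masks omitted). */
struct acl { int n; const char *sid[32]; };
static struct acl disk;  /* stands in for the ACL stored in the xattr */

/* Assumed marker: NFS-style SIDs for uid (-1-), gid (-2-) and mode (-3-). */
static int is_virtual_ace(const char *sid)
{
    return strncmp(sid, "S-1-5-88-1-", 11) == 0 ||
           strncmp(sid, "S-1-5-88-2-", 11) == 0 ||
           strncmp(sid, "S-1-5-88-3-", 11) == 0;
}

/* get: the stored ACL plus the three virtual entries, always appended. */
static struct acl model_get(void)
{
    struct acl out = disk;
    out.sid[out.n++] = "S-1-5-88-1-1000";   /* uid, constructed */
    out.sid[out.n++] = "S-1-5-88-2-1000";   /* gid, constructed */
    out.sid[out.n++] = "S-1-5-88-3-33188";  /* mode 0100644, constructed */
    return out;
}

/* set: optionally drop virtual entries before storing the client's ACL. */
static void model_set(const struct acl *in, int filter)
{
    struct acl keep = { 0 };
    for (int i = 0; i < in->n; i++)
        if (!filter || !is_virtual_ace(in->sid[i]))
            keep.sid[keep.n++] = in->sid[i];
    disk = keep;
}

/* Round-trip get/set `rounds` times; return how many ACEs end up stored. */
static int stored_after_round_trips(int rounds, int filter)
{
    disk = (struct acl){ 1, { "S-1-5-21-1-2-3-1001" } };  /* constructed */
    for (int r = 0; r < rounds; r++) {
        struct acl a = model_get();
        model_set(&a, filter);
    }
    return disk.n;
}

int main(void)
{
    printf("unfiltered: %d, filtered: %d\n",
           stored_after_round_trips(3, 0), stored_after_round_trips(3, 1));
}
```

In this model the unfiltered store gains three entries per round trip, while the filtered store keeps only the single real ACE.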